Microsoft patches Word zero-day booby-trap exploit

Lynne Hanson
April 13, 2017

The vulnerability was made public on Friday, but cyber security firm Proofpoint found that the zero-day was already being exploited in an email campaign.

When the rogue documents used in this attack are opened, they reach out to an external server and download an HTA (HTML Application) file that contains malicious VBScript code.

The attack starts with a decoy Word file that is sent via email or downloaded from a website.

Critical vulnerabilities have also been patched in Hyper-V, Microsoft's virtualization hypervisor that's included in Windows Server 2008, 2012 and 2016, as well as in Windows 8.1 and 10.

According to the report, the attacks started in January and leverage a vulnerability that hadn't yet been disclosed.

The security company said that it had been in contact with Microsoft about the vulnerability for several weeks, but did not publicly disclose any details until McAfee chose to reveal all in its blog post.


A Microsoft spokesperson confirmed that the company would issue a fix for the bug on Tuesday as part of its monthly release of security fixes and patches.

"Meanwhile we encourage customers to practise safe computing habits online, including exercising caution before opening unknown files and not downloading content from untrusted sources to avoid this type of issue."

In its advisory, Microsoft notes, "A remote code execution vulnerability exists in the way that Microsoft Office and WordPad parse specially crafted files". OLE, which allows an application to embed other documents or objects, was used in 2014 by an advanced persistent threat group known as Sandworm to target government organizations and infrastructure providers in Europe and the North Atlantic Treaty Organisation (NATO).

The emails use spoofed sender domains and attachments posing as scanned documents to lure users into opening them. The flaw can potentially be exploited by attackers to take complete control of a system running a vulnerable deployment of the framework.

Both McAfee and cybersecurity company FireEye agreed on the cause of the vulnerability. According to McAfee, the malware cannot bypass the Microsoft Office feature referred to above. Because this is a logic bug rather than a memory-corruption bug, it also sidesteps any memory-based mitigations.

Disabling macros offers no protection against this flaw, though users are still advised to do so to protect themselves against other attacks. In Word's File Block settings, check the box next to "RTF" to ensure that file type cannot be opened by Microsoft Office.
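As an added example (not code from the article, Microsoft, McAfee, FireEye or Proofpoint), the script below triages an RTF attachment for the document shape described above: an OLE object declared as an automatically updating link whose payload carries a URL, especially one ending in .hta. It complements the file-block advice for environments that cannot block RTF outright, for instance on a mail gateway or during incident response. The RTF control words it keys on (\object, \objautlink, \objupdate, \objemb, \objdata) are from the RTF specification; the sample document, its URL (example.invalid) and the objdata payload are constructed for the test and are neither a real OLE stream nor a real indicator.

```python
"""Static triage of RTF files for auto-updating OLE link objects that point at remote content.

Editor-added example. It decodes each {\\*\\objdata ...} hex payload inside an {\\object ...}
group and reports any URL found in it (ASCII or UTF-16LE). The OLE stream format itself is
not parsed; this is a best-effort string-level check, not a substitute for patching.
"""
import re
from dataclasses import dataclass, field

# Control words / braces to strip out of a payload before hex-decoding it.
CONTROL_WORD = re.compile(rb"\\\*|\\[A-Za-z]+-?\d*|[{}]")
URL_RE = re.compile(rb"https?://[\x21-\x7e]+", re.IGNORECASE)


@dataclass
class OleObject:
    offset: int                              # byte offset of the {\object group in the file
    autolink: bool                           # \objautlink: the object is a link, not embedded data
    autoupdate: bool                         # \objupdate: the link refreshes when the document opens
    urls: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # A self-refreshing link to a remote resource is the pattern the article describes.
        return self.autolink and self.autoupdate and bool(self.urls)

    @property
    def fetches_hta(self) -> bool:
        return any(u.lower().endswith(".hta") for u in self.urls)


def _group_end(data: bytes, start: int) -> int:
    """Index just past the '}' closing the group opened at data[start] == '{'."""
    depth, i = 0, start
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":            # skip escaped braces (\{ \}) and control-symbol leads
            i += 2
            continue
        if c == b"{":
            depth += 1
        elif c == b"}":
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    return len(data)              # unterminated group: treat the rest of the file as the group


def _objdata_bytes(group: bytes) -> bytes:
    """Hex-decode the {\\*\\objdata ...} payload inside one object group (best effort)."""
    m = re.search(rb"\\objdata\b", group)
    if not m:
        return b""
    open_idx = group.rfind(b"{", 0, m.start())
    if open_idx < 0:
        return b""
    payload = group[m.end():_group_end(group, open_idx) - 1]
    payload = CONTROL_WORD.sub(b"", payload)
    hexdigits = re.sub(rb"[^0-9A-Fa-f]", b"", payload)
    if len(hexdigits) % 2:
        hexdigits = hexdigits[:-1]
    return bytes.fromhex(hexdigits.decode("ascii"))


def _find_urls(blob: bytes) -> list:
    found = []
    # Second pass with NULs removed catches UTF-16LE strings, which is how monikers store URLs.
    for candidate in (blob, blob.replace(b"\x00", b"")):
        for m in URL_RE.finditer(candidate):
            url = m.group(0).decode("ascii", "replace")
            if url not in found:
                found.append(url)
    return found


def scan_rtf(data: bytes) -> list:
    """Return one OleObject per {\\object ...} group in the RTF bytes."""
    results = []
    for m in re.finditer(rb"\\object\b", data):
        open_idx = data.rfind(b"{", 0, m.start())
        if open_idx < 0 or data[open_idx + 1:m.start()].strip():
            continue               # \object must open its group
        group = data[open_idx:_group_end(data, open_idx)]
        results.append(OleObject(
            offset=open_idx,
            autolink=re.search(rb"\\objautlink\b", group) is not None,
            autoupdate=re.search(rb"\\objupdate\b", group) is not None,
            urls=_find_urls(_objdata_bytes(group)),
        ))
    return results


def triage(data: bytes) -> dict:
    """Summary suitable for a gateway verdict or an IR note."""
    objs = scan_rtf(data)
    flagged = [o for o in objs if o.suspicious]
    return {"objects": len(objs), "flagged": len(flagged),
            "hta": any(o.fetches_hta for o in flagged),
            "urls": sorted({u for o in flagged for u in o.urls})}


SAMPLE_URL = "http://example.invalid/scanned-document.hta"   # constructed placeholder, not a real indicator


def _hex(b: bytes) -> bytes:
    return b.hex().encode("ascii")


# Constructed test document: the first objdata is NOT a real OLE stream, just the URL as
# UTF-16LE so the scanner has something to find; the second is a harmless embedded object.
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\n"
    b"{\\object\\objautlink\\objupdate\\objw1\\objh1\n"
    b"{\\*\\objdata " + _hex(b"\x01\x05\x00\x00" + SAMPLE_URL.encode("utf-16-le") + b"\x00\x00") + b"}\n"
    b"}\n"
    b"{\\object\\objemb\\objw100\\objh100{\\*\\objdata " + _hex(b"\x01\x05\x00\x00embedded") + b"}}\n"
    b"Please find the scanned document attached.\\par\n"
    b"}"
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_RTF
    for o in scan_rtf(data):
        flag = "SUSPICIOUS" if o.suspicious else "ok"
        print(f"object@{o.offset}: autolink={o.autolink} update={o.autoupdate} urls={o.urls} [{flag}]")
    print(triage(data))
```

Run it with a file path to triage a real attachment, or with no arguments to see the constructed sample flagged. The `.hta` check is a convenience for the pattern in this article; any auto-updating link with a remote URL is reported, since the same mechanism can fetch other content.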
